Moropo Limited (trading as DeviceCloud) is committed to protecting customer data. This page explains the controls, policies, and practices behind our platform.
Policies available to customers and prospects under NDA.
Security is built into how we operate. Our programme is underpinned by a set of written policies that are reviewed regularly and apply to everyone at the company.
Customer data is encrypted in transit and at rest using industry-standard algorithms, governed by our Encryption Policy.
Least-privilege access, enforced authentication, and regular access reviews protect every system we operate.
Critical data is backed up and tested so we can recover quickly from corruption, deletion, or failure.
Changes to production systems follow a reviewed, auditable process to keep our platform stable and secure.
Documented playbooks let us detect, contain, and communicate security incidents promptly and transparently.
Third-party vendors are assessed and monitored for security before and throughout our use of their services.
Our audit and assurance documents. Some are available to everyone; others require you to accept a short non-disclosure agreement, after which we email you a secure, time-limited link.
A one-page summary of our security programme. No NDA required.
Our latest SOC 2 Type II report. Available to reviewers under NDA.
Full third-party penetration test report. Available to reviewers under NDA.
The policies that govern our security programme are available to customers and prospects under NDA. Request access and our team will share the latest signed copies.
Defines the acceptable use of company computer equipment and systems to safeguard sensitive customer data.
Establishes the principles and guidelines for controlling access to systems owned by DeviceCloud.
Sets requirements for account authentication, including how passwords are generated, used, and protected.
Institutes controls to mitigate accidental loss, corruption, or deletion of company and customer data.
Guides the process of safely managing change across critical systems and products.
Defines a framework for determining the sensitivity of company data and systems and how to handle it.
Establishes how long data is retained and how it is securely disposed of to protect confidentiality.
Establishes practices for protecting data through encryption, both in transit and at rest.
Sets requirements for attracting, developing, and retaining competent, security-conscious personnel.
Establishes plans for reporting and responding to security incidents affecting corporate or customer systems.
Governs the selection, acquisition, and ongoing management of third-party vendors and their security.
We use a small number of trusted third-party providers to deliver our service. Each is assessed under our Vendor Management Policy. The devices that run your apps are hosted on our own on-premises hardware, not a third-party cloud.
| Provider | Purpose | Data processed | Region |
|---|---|---|---|
| Supabase | Primary database, authentication, and file storage | Account data, user credentials, uploaded files | — |
| Backblaze B2 | Object storage for test artifacts | Screenshots, recordings, app binaries | — |
| Paddle | Payments and subscription billing (Merchant of Record) | Billing and contact details | — |
| Resend | Transactional email delivery | Email addresses, message content | — |
| Twilio | SMS and phone messaging | Phone numbers, message content | — |
| Google Workspace | Identity provider (SSO) and business email | Authentication data, correspondence | — |
| Anthropic | AI-powered customer support assistant | Support conversation content | — |
| Axiom | Application logging and observability | Application and access logs | — |
| BetterStack | Uptime monitoring and log management | Operational logs, uptime data | — |
Questions about our subprocessors? Email security@devicecloud.dev.
Our team is happy to help with security reviews, due-diligence questionnaires, and document requests.